Azure Network Watcher

Azure maintains the network fabric and provides the converged or virtualized network layer to customers. In complex or multi-region deployments where an application is spread across multiple servers, it is important to have tools to capture network packets, troubleshoot VPN-related issues, and get a holistic view of the network security rules in order to identify and solve the application's problem. Azure Network Watcher solves this problem.

Network Watcher has costs involved; it is not a free service from Microsoft.

Packet Capture requires an agent deployment; currently Windows and Linux agents are supported. See below for the steps to deploy the agent.

Network Watcher uses multiple Azure-managed resources and creates them in its own resource group within your subscription.

Network Watcher doesn't span subscriptions. Each subscription, and each region within it where Network Watcher is needed, requires its own deployment.

Install Network Watcher

Log in to the Azure Portal (https://portal.azure.com) and search for Network Watcher in the list of services. Right-click each region where you want to deploy Network Watcher and select Enable Network Watcher.

Once deployed, you will see the Network Watcher resource group in your subscription, with a resource for each enabled location.

Please ensure that you select Show hidden types to see the resources.

IP Flow Verify

IP Flow Verify checks whether a packet is allowed to or from a virtual machine for a specific source/target IP address and specific ports. If the traffic is blocked by a Network Security Group, the NSG rule that blocks the traffic is listed.

In the example below, we tested the traffic flow from a virtual machine to a specific web server IP on port 80. Please note that you can't select an IP range or port range with this feature yet, something I would have liked.

Next Hop

If you have used ExpressRoute, VPN gateways, VNet peering and/or user-defined routing, you will know the importance of knowing the next hop address. Azure maintains a system route table plus user-defined, ExpressRoute and peering routes that together define where the next hop should be. When routing misbehaves, it is important to have a tool that tells you the next hop address.

Now, when we fill in the section and click Next Hop, we see that the next hop shown here is a System Route.

Security Group View

Security groups can be assigned to subnets and to the network interfaces of a VM. When applied to a subnet, the rules apply to all virtual machines associated with that subnet. Multiple NSGs can apply to the same traffic, each able to allow or block it.

Security Group View shows the NSGs applied to a particular network interface and shows its effective route.
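The same three checks (IP Flow Verify, Next Hop and Security Group View) can be scripted with the Az PowerShell module, which is useful when you need to test many destinations or audit the effective rules of several VMs. The block below is an added example, not code from the original post; the resource group "app-rg", VM "web-vm", region "eastus", the VM NIC address 10.0.0.4 and the web server address 203.0.113.10 are constructed placeholders.

```powershell
# Added example: Network Watcher diagnostics via the Az module.
# Assumed names (replace with your own): resource group, VM, region and IPs below.
Connect-AzAccount | Out-Null          # interactive sign-in; skip if already signed in

$location = 'eastus'
$rg       = 'app-rg'
$vmName   = 'web-vm'
$vmIp     = '10.0.0.4'        # constructed: private IP of the VM's NIC
$webIp    = '203.0.113.10'    # constructed: the web server we want to reach

# 1. Enable Network Watcher for the region if it is not there yet. Azure places it
#    in the resource group "NetworkWatcherRG" as "NetworkWatcher_<region>".
$nw = Get-AzNetworkWatcher -Location $location -ErrorAction SilentlyContinue
if (-not $nw) {
    New-AzResourceGroup -Name 'NetworkWatcherRG' -Location $location -Force | Out-Null
    $nw = New-AzNetworkWatcher -Name "NetworkWatcher_$location" `
            -ResourceGroupName 'NetworkWatcherRG' -Location $location
}

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 2. IP Flow Verify: one IP and one port per call (no ranges), so loop over the
#    destination ports you care about. The result names the NSG rule that decided.
foreach ($port in 80, 443) {
    $flow = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
                -Direction Outbound -Protocol TCP `
                -LocalIPAddress $vmIp -LocalPort '60000' `
                -RemoteIPAddress $webIp -RemotePort "$port"
    "TCP/$port to $webIp : $($flow.Access) (rule: $($flow.RuleName))"
}

# 3. Next Hop: what route Azure applies for a packet from the VM to the web server.
#    RouteTableId reads "System Route" when no user-defined route matched.
$hop = Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
           -SourceIPAddress $vmIp -DestinationIPAddress $webIp
"Next hop: $($hop.NextHopType) $($hop.NextHopIpAddress) via $($hop.RouteTableId)"

# 4. Security Group View: the effective rules on each NIC of the VM, i.e. the
#    merged result of the subnet NSG, the NIC NSG and the default rules.
$sgv = Get-AzNetworkWatcherSecurityGroupView -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id
foreach ($nic in $sgv.NetworkInterfaces) {
    "NIC: $($nic.Id)"
    $nic.SecurityRuleAssociations.EffectiveSecurityRules |
        Sort-Object Direction, Priority |
        Select-Object Priority, Direction, Access, Protocol,
                      SourceAddressPrefix, DestinationPortRange |
        Format-Table -AutoSize
}
```

Run it from a session that already has the Az.Network and Az.Compute modules installed. Rules are listed by direction and priority, which is the order Azure evaluates them in: the first matching rule wins, so a low-numbered Allow above a Deny is what to look for when IP Flow Verify reports traffic you expected to be blocked.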

Packet Capture

Packet Capture can be used to capture network traffic, just like Ethereal does. Please ensure that you capture only when it is needed; otherwise the log file can grow huge depending on the network traffic.

As mentioned earlier, packet capture requires agent installation. Let us install the agent on one of the VMs. Go to the Azure Portal, select the VM, select Extensions, then Add -> Network Watcher Agent for Windows.

Once installed, the agent will show in the list of extensions.

Once the agent is installed, go to the Network Watcher tool in Azure, select Packet Capture and add a packet capture.

Once set up correctly, you will see it running and capturing the traffic.

Please note that you need to stop the packet capture for the log to be created.

Once the packet capture is stopped, go to the storage account's Blob storage and look for the captured logs.
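The agent installation and the capture itself can also be driven from the Az PowerShell module, which makes it easy to keep captures short and filtered so the blob does not grow huge. The block below is an added example, not code from the original post; the resource group "app-rg", VM "web-vm", region "eastus", storage account "captstore01" and the remote address 203.0.113.10 are constructed placeholders, and the extension version "1.4" is the one Microsoft's documentation uses for the Network Watcher agent.

```powershell
# Added example: install the Network Watcher agent, run a filtered packet capture,
# stop it and download the .cap file. All names below are assumed placeholders.
$location = 'eastus'
$rg       = 'app-rg'
$vmName   = 'web-vm'
$saName   = 'captstore01'
$webIp    = '203.0.113.10'    # constructed: only capture traffic to this host

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nw = Get-AzNetworkWatcher -Location $location
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $saName

# 1. Agent extension. For a Linux VM use ExtensionType 'NetworkWatcherAgentLinux'.
Set-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Location $location `
    -Name 'AzureNetworkWatcherExtension' `
    -Publisher 'Microsoft.Azure.NetworkWatcher' `
    -ExtensionType 'NetworkWatcherAgentWindows' `
    -TypeHandlerVersion '1.4' | Out-Null
Get-AzVMExtension -ResourceGroupName $rg -VMName $vmName -Name 'AzureNetworkWatcherExtension' |
    Select-Object Name, ProvisioningState

# 2. Start a capture limited to TCP/80 towards the web server, full packets
#    (BytesToCapturePerPacket 0), at most 50 MB and two minutes per session.
$filter = New-AzPacketCaptureFilterConfig -Protocol TCP -RemoteIPAddress $webIp -RemotePort '80'
$pcName = "$vmName-http-$(Get-Date -Format 'yyyyMMddHHmm')"
New-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -PacketCaptureName $pcName -StorageAccountId $sa.Id `
    -TimeLimitInSeconds 120 -TotalBytesPerSession 50MB -BytesToCapturePerPacket 0 `
    -Filter $filter | Out-Null

# 3. Let it run for the window you need, then stop it: the blob is only written
#    once the capture has stopped (by you or by hitting one of the limits).
Start-Sleep -Seconds 60
Stop-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $pcName | Out-Null
do {
    Start-Sleep -Seconds 10
    $pc = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $pcName
} while ($pc.PacketCaptureStatus -eq 'Running')
"Capture $pcName is $($pc.PacketCaptureStatus) (reason: $($pc.StopReason))"

# 4. Download the .cap from Blob storage. StoragePath is a blob URL of the form
#    https://<account>.blob.core.windows.net/<container>/<path>/<name>.cap
$uri = [Uri]$pc.StorageLocation.StoragePath
$container, $blobName = $uri.AbsolutePath.TrimStart('/') -split '/', 2
Get-AzStorageBlobContent -Container $container -Blob $blobName `
    -Context $sa.Context -Destination ".\$pcName.cap" -Force | Out-Null
"Saved .\$pcName.cap (open it in Wireshark)"

# 5. Remove the capture definition; the blob in the storage account is kept.
Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $nw -PacketCaptureName $pcName
```

The filter and the byte/time limits are what keep the capture usable: an unfiltered capture on a busy web server fills the session limit within seconds, while a capture scoped to one peer and one port is small enough to open directly in Wireshark.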